Characteristics of a redirect landing site!

Something utterly wrong here: http://thednsreport.com/?domain=hinia.zyns.com
IDS detection: Detected a Dynamic DNS URL → http://urlquery.net/report.php?id=8306474
Additional:
Suspicious javascript file: /javascript%3Avoid%280%29
Severity: Potentially Suspicious
Reason: Detected unconditional redirection to external web resource.
Details:
Threat dump: []
Which is a PHISH, currently offline. For why to stay away, read →
http://www.warriorforum.com/warrior-forum-classified-ads/867226-adfly-stay-away-adfly.html (traffic targeter)
File size[byte]: 4666
File type: ASCII
MD5: F760BDB857648F3C07D280CE476ABD4D
Scan duration[sec]: 0.004000

Also see: http://maldb.com/catsalesonline.com/
http://evuln.com/labs/hinia.zyns.com/
http://labs.sucuri.net/?details=hinia.zyns.com

polonus

Something similar but from another scanning angle: https://asafaweb.com/Scan?Url=kmlps.mrslove.com

polonus

This redirecting site has Joomla issues: Joomla Version 2.5.x - 3.0.x for: http://lisaads.biz//media/system/js/caption.js
Nothing detected through Web Security Test, Redirects flagged here: http://maldb.com/lisaads.biz/
and here: http://evuln.com/tools/malware-scanner/lisaads.biz/rescan/
Has it been taken down? I get: Database connection error (2): Could not connect to MySQL.
Header response: HTTP/1.1 200 OK
Date: Tue, 10 Dec 2013 18:33:19 GMT
Server: Apache
Last-Modified: Fri, 26 Apr 2013 01:37:05 GMT
Accept-Ranges: bytes
Content-Length: 76
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

pageok

Nothing detected here: http://zulu.zscaler.com/submission/show/e19b17164cb70d9494a9a7abda889973-1386700619

pol

Another one with other characteristics, redirected from wXw.samedcliff.com
Sucuri detects: http://sitecheck.sucuri.net/results/www.samedcliff.com - Joomla issues reported.
See: http://evuln.com/tools/malware-scanner/samedcliff.com/
iFrame check there: Suspicious
htxp://twubs.com/embed/jobs/?messagesperpage=50&headerbgcolor=%231c6485&headertextcolor=%23ffffff
external link going to htxp://www.hiringjobtweets.com
Also read: http://productforums.google.com/forum/#!msg/webmasters/gFnQ7hRMwsA/h623ted9ys0J
Nothing here: http://app.webinspector.com/public/reports/18834194
PHISH sites on 27.254.36.205
Our forum friend Redleg gives an explanation of this redirect on productforums-google:

Redirects to http:// dear . lflinkup . com/ are typically done using a bit of obfuscated PHP code. The code will start out something like this:

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxt…

pol
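A small triage script, added here as an example (not code from the thread, from Redleg, or from any scanner mentioned), that finds the eval(base64_decode("...")) wrapper Redleg describes in a PHP file, decodes the layer, and reports the redirect-related strings it contains. The base64 prefix quoted in the post above is decoded as-is; the infected and clean PHP files are constructed fixtures, and the redirect destination in them is a placeholder.

```python
import base64
import re

# Wrapper shape described in the post above: eval(base64_decode("<base64>"))
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)')

# Strings a decoded redirect layer typically contains; hits are only reported.
INDICATORS = ("error_reporting(0)", "headers_sent(",
              'header("Location:', "header('Location:")

# Base64 prefix quoted in the post above (truncated there, so only the
# leading bytes of the payload can be recovered).
PAGE_FRAGMENT = ("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0K"
                 "aWYgKCEkcWF6cGxt")


def decode_b64(blob):
    """Decode base64, tolerating whitespace and missing padding; None if not base64."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True).decode("latin-1")
    except ValueError:
        return None


def scan_php_source(source):
    """Return one finding per eval(base64_decode(...)) wrapper in a PHP source string."""
    findings = []
    for match in EVAL_B64.finditer(source):
        decoded = decode_b64(match.group(1))
        if decoded is None:
            continue
        hits = [ind for ind in INDICATORS if ind in decoded]
        findings.append({"offset": match.start(), "decoded": decoded, "indicators": hits})
    return findings


# Constructed fixtures: a Joomla-style file with an injected redirect layer, and a clean one.
_PAYLOAD = ('error_reporting(0);\nif (!headers_sent()) {\n'
            '  header("Location: http://redirect.example.invalid/");\n  exit;\n}\n')
INFECTED_FILE = ('<?php\neval(base64_decode("'
                 + base64.b64encode(_PAYLOAD.encode()).decode() + '"));\n'
                 "defined('_JEXEC') or die;\n")
CLEAN_FILE = "<?php\ndefined('_JEXEC') or die;\n$app = JFactory::getApplication();\n"

if __name__ == "__main__":
    print(repr(decode_b64(PAGE_FRAGMENT)))
    for finding in scan_php_source(INFECTED_FILE):
        print(finding["offset"], finding["indicators"])
```

Decoding the fragment from the post yields the `error_reporting(0);` and `headers_sent()` lines Redleg refers to, which is why those strings are used as indicators.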

Quite another one here: http://maldb.com/approvalvoting.net/# (verdict; suspicious)
Sucuri says: Joomla version outdated: Upgrade required. http://labs.sucuri.net/db/malware/500-error?v1
and Joomla Version 2.5.x - 3.0.x for: http://approvalvoting.net/media/system/js/caption.js
Joomla Version 2.5.0 to 2.5.2 for: http://approvalvoting.net/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
On IP one malware site alive and kicking malcode: http://support.clean-mx.de/clean-mx/viruses.php?review=184.168.36.1&sort=id%20DESC
Redirect is malicious: http://scanurl.net/?u=+http%3A%2F%2Fwww.cibonline.org%2Fcache%2Fmod_poll%2F7c7478fde2f89a23.php&uesb=Check+This+URL#results
Redirect to this URL found in 3748 sites
Nothing here: http://zulu.zscaler.com/submission/show/b5330f0e4288150efee8d846eeb8e676-1386797992

Code hiccup → wXw.approvalvoting.net/plugins/system/modalizer/modals/jquery.min.js benign
[nothing detected] (script) wXw.approvalvoting.net/plugins/system/modalizer/modals/jquery.min.js
status: (referer=wXw.approvalvoting.net/)saved 91368 bytes 36cb5e0c8efb7282390abb518378de7f031309e5
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function a.getElementsByTagName
error: undefined variable a
suspicious:

polonus

Not a single one of the URLs here is blocked by Emsisoft or Kaspersky. :wink:

Hi Steven Winderlich,

Some of these redirect detections are rather short-lived.
So some of these scan results may already be history, in the past, Vergangenheit!
Some of the scanners even on a re-scan come up with non-actuals.
So sub-scanners like http://evuln.com/tools/malware-scanner/ and http://maldb.com/
should be checked against others to check the validity of their scan results.
Some are good and genuine,
but I would not advise going there for support :wink:
For support go to the guys behind Sucuri and the scan team at: http://www.websicherheit.at/

So take the results I presented here “cum granis salis” (well, let us make this a small bag of salt),

Damian